Flash Security for Variables?

TsX

Graduate

Posts: 167

3+ Months Ago

I have a variable inside of a flash movie (it is retrieved from a php file), is that variable secure from being viewed? Is it even possible to make "manual" changes to variables, or view variables that are not printed out in the movie?

Novice to Flash Actionscript

lostinbeta

Guru

Posts: 1402

Loc: Philadelphia, PA

3+ Months Ago

No, it isn't possible for a viewer to manipulate variables within a flash from outside of the Flash file. Unless they decompile it for themselves, but even so it doesn't affect the movie on your server so you have nothing to worry about.

joebert

Genius

Posts: 13511

Loc: Florida

3+ Months Ago

Variables placed on the _root timeline are over-ridable via the url that embeds the swf in a page, or accessing the swf directly in a web browser.

Text fields using instance names are NOT accessible via "textfield.text", variables contained within a movieclip are NOT accessible either.

Rule of thumb, if the variable requires a . (dot) to get accessed from _root you can NOT access that variable through the querystring.

Saving grace, they have to know the exact name of the variable to access it, which brings us to the decompilation lostinbeta mentioned.

lostinbeta

Guru

Posts: 1402

Loc: Philadelphia, PA

3+ Months Ago

joebert wrote:

Variables placed on the _root timeline are over-ridable via the url that embeds the swf in a page, or accessing the swf directly in a web browser.

Yes they are, but that has to be coded into the page (either hard coded or using PHP query string), so while it is possible for the author to overwrite them by adding that into a page, it is impossible for a viewer to manipulate the variable using that method.

/* Commenting this line out allows the textbox "one" to get over-ridden via querystring, removing the comment seems to stop it */
//one = 'One';

/* Type casted variables of AS2 seem to be exempt from the querystring, neither of these next two are allowing me to over-ride */

var two:String = 'Two';
two = 'Two';
_two.text = two;

var three:String = 'Three';
_three.text = three;


Interesting find about AS2 to say the least.

//edit - I wonder if there's some sort of "varname:Querystring =" syntax now.

lostinbeta

Guru

Posts: 1402

Loc: Philadelphia, PA

3+ Months Ago

So apparently AS2.0 doesn't have the same import vulnerability as MX. You can't import a variable that already exists on the _root timeline.

At least that's what I'm getting from your example if I understand correctly (MX user here). And if indeed it is the case that you can't overwrite a variable that exists, no :QueryString type would be required because variables can apparently be imported through query strings, unless they are already defined on the timeline.

But I guess var names for textboxes don't count for that.

Very odd.

[EDIT]
Just ran the test in MX... The same results happen. If the var is defined on the _root timeline you can't import via query string. And just as your test... if it is a textbox with a var name, it can be overwritten. So it absolutely has to be defined on the frame. You can still have the textbox with a var name, but you have to assign its default value on the frame and not inside the textbox.
[/EDIT]

joebert

Genius

Posts: 13511

Loc: Florida

3+ Months Ago

I'm tempted to break out a book on Java to see just how many similarities there are, first thing I thought of when viewing AS2 for the first time was "This looks like Java syntax."

Based on the abundance of Java involved in Macromedia's backend applications I guess it would make sense to bring the client-side language closer.

Can't help but wonder a little more about why Macromedia decided to "sell out" to Adobe.

lostinbeta

Guru

Posts: 1402

Loc: Philadelphia, PA

3+ Months Ago

Yeah, that's what a friend of mine said when I showed her AS2.0... she was like 'wow this is like Java'...lol.

I know AS1.0 was based off ECMAScript, which is what JavaScript 1.x is based off of. That's how I learned ActionScript, because I knew JavaScript first.

AS2.0 however is based off of ECMAScript Edition 4 proposal, which is what JavaScript 2.0 will be based off of and will be pulling ECMAScript closer to Java style coding.

So basically while AS1 is almost like JavaScript, AS2 is almost like Java.

TsX

Graduate

Posts: 167

3+ Months Ago

wow...

(lol, I would post only that, but it's sort of spamming. I understand most of this, but I'll be reading it over again)